VMware vSphere encryption was first introduced in vSphere 6.5 and vSAN 6.6, enabling encryption in both virtual machine and disk storage. It only requires the vCenter vSphere Server, a third-party Key Management Server, and ESXi host to work. Security nowadays is very crucial, and encryption provides a solution towards cyber threats. If anyone gets a copy of the raw VMDKs, it can be easily mounted on a VMware server. Hence, the feature getting widely adapted by many organizations.
Backup Exec provides support for encrypted VMware Virtual Machines stating with VMware 6.5. The Virtual Machines must be preconfigured for VM Encryption per VMware Documentation. Encrypt an Existing Virtual Machine or Virtual Disk Virtual Machine Encryption
For the default backup job settings, it will use the NBD transport mode and the user can also select Network transport mode with SSL. Encrypted VM using the HotAdd method can be backed up if Backup Exec server VM is encrypted as well. Permissions required - Cryptographer.Access, Cryptographer.AddDisk
SAN transport mode is not currently supported for backups of encrypted virtual machines.
File GRT and Application GRT are supported during backup & restore.
The backup is taken in decrypted format, hence when a backed-up virtual machine is restored, it is restored in decrypted format. The common Key Management Server (KMS) or Key Management Server is not required during a restore job. Restore or Redirect restores of VM's can be performed back to vCenter, ESXi hosts, and NTFS file systems.
Validate VM for recovery and Instant recovery feature is also supported for encrypted VMware Virtual Machines. So with all the added security benefits to encrypting VMware virtual machines, this is certainly a security feature that most users will want to secure sensitive virtual machines running in the environment. With Backup Exec, you get a simple, powerful solution that ensures your business-critical data is never at risk of being lost, stolen or corrupted.